SOLVED

Authenticating onpremise users in Azure ADDS


Hi,

we want on-premises users to authenticate to Azure ADDS with their on-premises domain credentials to maintain the default password and GPO.

Is it possible?

Thanks.

3 Replies
In a hybrid environment, objects and credentials from an on-premises AD DS domain can be synchronized to Azure AD using Azure AD Connect. Once those objects are successfully synchronized to Azure AD, the automatic background sync then makes those objects and credentials available to applications using the managed domain.

What's not synchronized from an on-premises AD DS environment to Azure AD or Azure AD DS:
OUs, Group Policy, excluded attributes, SYSVOL, computer objects, SIDHistory attributes for users and groups
best response confirmed by Sandro Alves (Occasional Contributor)
Solution

Just to add to what @Seshadrr said already:

  • objects (users and groups) in the AAD DS directory have different SIDs (it's a different domain/forest than the on-premises one), but the original SIDs (source objects) are saved to SIDHistory (https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization#attribute-synchronization-and-mapping-to-azure-ad-ds)
  • users will be using a different UPN suffix (the one you choose when you enable AAD DS in your environment), but the prefix will be the same as in the original ADDS domain.
  • passwords: the idea with AADDS is to be able to use the same credentials, but it requires Password Hash Sync enabled in the AAD Connect configuration as described here: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-password-hash-sync
  • OU structure and GPOs are not replicated to AADDS, but you can still create custom OUs and GPOs in the managed AADDS directory. You just need to export/import or re-create them manually.
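The three identity properties listed in this answer (a new SID in the managed domain, the source SID preserved in SIDHistory, and a UPN that keeps its prefix but takes the managed domain's suffix) can be verified from a management VM that can query both directories. The script below is an added example written for this thread, not code from the answer or from Microsoft; it uses the standard ActiveDirectory module cmdlets and, when run on the Azure AD Connect server, the ADSync module's Get-ADSyncAADCompanyFeature to report whether Password Hash Sync is enabled. The account name and the two server names are constructed placeholders.

```powershell
# Added example for this thread (not from the original posts).
# Assumes: RSAT ActiveDirectory module installed, network reachability to a DC in the
# on-premises domain and to the managed (Azure AD DS) domain, and a user synced to both.
# 'jdoe', 'dc01.corp.example' and 'aadds.example.com' are constructed placeholders.
param(
    [string]$SamAccountName = 'jdoe',
    [string]$OnPremServer   = 'dc01.corp.example',
    [string]$ManagedServer  = 'aadds.example.com'
)

Import-Module ActiveDirectory

# Read the same account from both directories. SIDHistory is not returned by default.
$onPrem  = Get-ADUser -Identity $SamAccountName -Server $OnPremServer  -Properties UserPrincipalName
$managed = Get-ADUser -Identity $SamAccountName -Server $ManagedServer -Properties UserPrincipalName, SIDHistory

$findings = [ordered]@{}

# 1. The managed domain is a separate forest, so the objectSid must be a new SID.
$findings['SID differs from on-premises']  = ($onPrem.SID.Value -ne $managed.SID.Value)

# 2. The on-premises SID should be carried over into SIDHistory on the managed object.
#    This is what keeps old ACLs that reference the source SID resolvable.
$findings['Source SID present in SIDHistory'] =
    [bool]($managed.SIDHistory | Where-Object { $_.Value -eq $onPrem.SID.Value })

# 3. UPN prefix is preserved; only the suffix changes to the managed-domain suffix.
$onPremPrefix,  $onPremSuffix  = $onPrem.UserPrincipalName  -split '@', 2
$managedPrefix, $managedSuffix = $managed.UserPrincipalName -split '@', 2
$findings['UPN prefix preserved']            = ($onPremPrefix -eq $managedPrefix)
$findings['UPN suffix changed']              = ($onPremSuffix -ne $managedSuffix)

# 4. Same-password sign-in to the managed domain depends on Password Hash Sync.
#    Get-ADSyncAADCompanyFeature only exists on the Azure AD Connect server itself.
if (Get-Command Get-ADSyncAADCompanyFeature -ErrorAction SilentlyContinue) {
    $findings['Password Hash Sync enabled'] = [bool](Get-ADSyncAADCompanyFeature).PasswordHashSync
} else {
    $findings['Password Hash Sync enabled'] = 'not checked (run on the AAD Connect server)'
}

# Report: every row should read True for a correctly synced account.
$findings.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Result = $_.Value } } |
    Format-Table -AutoSize
```

Running it as `.\Check-AaddsSync.ps1 -SamAccountName alice -OnPremServer dc01.corp.example -ManagedServer aadds.example.com` prints one row per check. A False on the SIDHistory row is the first thing to look at when resource ACLs that were migrated from on-premises stop resolving, and a False on the Password Hash Sync row explains why users cannot sign in to the managed domain with their existing password.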

Hi
I'm assuming that you're talking about Azure AD and not Azure ADDS, which is a managed domain service and cannot by design handle local identities. Currently your users have "local identities", so to be able to leverage Azure AD with the same identity you need to convert those objects to "hybrid identities".
How?
You need to download Azure AD Connect and configure it to sync your users.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect
You may also need to look at Azure AD Connect cloud sync, which is the new offering.
You can use the below link to know more about this tool and see the comparison between the two.
https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync
You can find a bunch of information about best practices for the install like below:
https://thesysadminchannel.com/azure-ad-connect-best-practices-installation-guide/
Once the directory synchronisation is in place, your users can leverage their user principal names to connect to Microsoft Online Services with the same password. Also, you can configure Single Sign-On.